US Government Is Still In Turmoil Over Cyber Defense

The giant OPM Hack of 2014 reverberates as the US Government finds that it still lacks the fundamentals of a robust cyber-defense.

The US Office of Personnel Management's Office of the Inspector General has recently published an audit report that makes depressing reading for an agency which has been in more-or-less continuous turmoil since a devastating cyber-attack in March 2014.

That attack stole the sensitive personal information of some 25 million US government employees, including millions of security clearance files, from the agency's own systems and those of two of its important contractors. The fingerprint data of some 5.6 million of those employees was also stolen.

According to a scathing report on the break-in published two months ago by the Republican majority on the House Committee on Oversight and Government Reform, the intelligence value of the theft, carried out from China, “cannot be overstated, nor will it ever be fully known.”  

The Inspector General's report notes that the agency is still suffering from high staff turnover in sensitive information-security jobs and in top management, including five Chief Information Officers in three years, as well as longstanding failures to assess the security controls on its computer systems to make sure they are adequate.

It is also lethargic in dealing with a variety of longstanding security weaknesses and has still not taken action on scores of security recommendations laid out in previous Inspector General reports, some made years before the catastrophic hack. 

Among other things, the report notes that only two of the agency’s major computer applications comply with the government’s own standards for verifying user identities, which date back to 2012.

Among the 18 “major” computer systems that have not been given a renewed authorisation of their security controls, the report notes, are five owned by the Chief Information Officer, two that belong to the Chief Financial Officer, and four inherited by the newly amalgamated National Background Investigations Bureau, a reformed chunk of the bureaucracy whose IT systems are now built and operated by the Department of Defense.

One of the systems is owned by the Office of the Inspector General itself. Indeed, according to the report, OPM, despite “several initiatives underway,” still lacks a full inventory of its many servers, databases and software, let alone an understanding of how they are linked with each other, both of which are fundamentals of a robust cyber-defense.

The report drily notes that lack of what it calls a “mature inventory system significantly hinders OPM’s efforts related to oversight, risk management, and securing the agency’s information systems.”

In another section, the document observes that even when OPM's scanning turns up less-than-critical weaknesses, the agency does not track the efforts made to correct them, so that “there is a significantly increased risk that these weaknesses will not be addressed in a timely manner, and that the systems will indefinitely remain susceptible to attack.”

To fix the problems, or at least address them, the audit report offers up a barrage of 26 recommendations, with notes alongside many of them to show they are repeats of recommendations made years before. 

For its part, the agency's management concurs with almost all of them, including new staffing hires and proper inventories. It balked slightly, however, at a diffident suggestion that the Director of OPM, currently Acting Director Beth Cobert, “consider shutting down information systems that do not have a current and valid [security] Authorisation.”

The agency said it would prefer to make its own “risk-based decision” on whether to keep operating a system without that clearance, then forward its evaluation to the OPM head for the “ultimate decision.”

Perhaps that is progress: The Inspector General first made the shut-down suggestion in 2014, the year of the great cyber-theft, without any apparent effect. 

Fox News: US Navy Personnel Data Breached

After The OPM Hack Security Clearances Will Now Be Done By The Pentagon
